Simon Tatham [Sat, 7 Nov 2015 13:34:14 +0000 (13:34 +0000)]
Fix a build failure coming from the fuzzing branch.
Apparently if you maintain a branch for a long time where you only
compile with a non-default ifdef enabled, it becomes possible to not
notice a typo you left in the default branch :-)
Simon Tatham [Sat, 7 Nov 2015 09:54:05 +0000 (09:54 +0000)]
Merge tag '0.66'
This brings in the rest of the 0.66 branch, including some changes new
on master.
Conflicts:
doc/plink.but
sshrsa.c
(The conflicts were both trivial: in one, the addition of an extra
parameter to rsa2_newkey on master happened on the line next to 0.66's
addition of a check for NULL return value, and in the other, I'd got
the version number in the plink -h transcript messed up on master.)
Simon Tatham [Sat, 7 Nov 2015 09:14:42 +0000 (09:14 +0000)]
Initial 'merge -s ours' from 0.66 release branch.
Everything up to here on the release branch is cherry-picks from
master anyway, and some of their cherry-picked forms conflict with the
current state of master due to further work, so here I'm just
recording an ancestry relation to indicate that there's nothing up to
here on 0.66 that master hasn't got.
Simon Tatham [Fri, 25 Sep 2015 15:03:47 +0000 (16:03 +0100)]
Fix winhandl.c's failure to ever free a foreign handle.
Handles managed by winhandl.c have a 'busy' flag, which is used to
mean two things: (a) is a subthread currently blocked on this handle
so various operations in the main thread have to be deferred until it
finishes? And (b) is this handle currently one that should be returned
to the main loop to be waited for?
For HT_INPUT and HT_OUTPUT, those things are either both true or both
false, so a single flag covering both of them is fine. But HT_FOREIGN
handles have the property that they should always be waited for in the
main loop, but no subthread is blocked on them. The latter means that
operations done on them in the main thread should not be deferred; the
only such operation is cleaning them up in handle_free().
handle_free() was failing to spot this, and was deferring freeing
HT_FOREIGN handles until their subthread terminated - which of course
never happened. As a result, when a named pipe server was closed, its
actual Windows event object got destroyed, but winhandl.c still kept
passing it back to the main thread, leading to a tight loop because
MsgWaitForMultipleObjects would return ERROR_INVALID_HANDLE and never
block.
Simon Tatham [Sun, 9 Aug 2015 20:18:27 +0000 (21:18 +0100)]
Add a FAQ for 'checksum mismatch' reports.
The aim is to try to reduce the incidence of the two least helpful
classes of those reports: the ones which have just got mismatched
checksum files, and the ones which don't tell us the information that
would help.
Ben Harris [Sun, 18 Oct 2015 12:04:58 +0000 (13:04 +0100)]
Add FUZZING support to ssh.c.
This adds the "none" cipher and MAC, and also disables kex signure
verification and host-key checking. Since a client like this is
completely insecure, it also rewrites the client version string to
start "ISH", which should make it fail to interoperate with a real SSH
server. The server version string is still expected to begin "SSH" so
the real packet captures can be used against it.
Ben Harris [Sat, 17 Oct 2015 20:00:31 +0000 (21:00 +0100)]
Handle packets with no type byte by returning SSH_MSG_UNIMPLEMENTED.
The previous assertion failure is obviously wrong, but RFC 4253 doesn't
explicitly declare them to be a protocol error. Currently, the incoming
packet isn't logged, which might cause some confusion for log parsers.
Ben Harris [Sat, 17 Oct 2015 15:26:51 +0000 (16:26 +0100)]
Add FUZZING build option that disables the random number generator.
Starting up the random number generator is by far the slowest part of
plink's startup, and randomness is bad for fuzzing, so disabling it
should make fuzzing more effective.
Ben Harris [Sat, 17 Oct 2015 13:06:06 +0000 (14:06 +0100)]
Add an explicit PROXY_FUZZ that just feeds a file into the backend.
This saves the need to fork and exec "cat", which should speed things
up. It also ensures that the network output goes to /dev/null, which
should avoid problems with blocking when writing to a full pipe.
Ben Harris [Tue, 13 Oct 2015 19:33:12 +0000 (20:33 +0100)]
Check the x argument to check_boundary() more carefully.
This is a minimal fix for CVE-2015-5309, and while it's probably
unnecessary now, it seems worth committing for defence in depth and to
give downstreams something reasonably non-intrusive to cherry-pick.
Ben Harris [Wed, 7 Oct 2015 22:54:39 +0000 (23:54 +0100)]
More robust control sequence parameter handling.
Parameters are now accumulated in unsigned integers and carefully checked
for overflow (which is turned into saturation). Things that consume them
now have explicit range checks (again, saturating) to ensure that their
inputs are sane. This should make it much harder to cause overflow by
supplying ludicrously large numbers.
Fixes two bugs found with the help of afl-fuzz. One of them may be
exploitable and is CVE-2015-5309.
Ben Harris [Tue, 13 Oct 2015 19:33:12 +0000 (20:33 +0100)]
Check the x argument to check_boundary() more carefully.
This is a minimal fix for CVE-2015-5309, and while it's probably
unnecessary now, it seems worth committing for defence in depth and to
give downstreams something reasonably non-intrusive to cherry-pick.
Ben Harris [Wed, 7 Oct 2015 22:54:39 +0000 (23:54 +0100)]
More robust control sequence parameter handling.
Parameters are now accumulated in unsigned integers and carefully checked
for overflow (which is turned into saturation). Things that consume them
now have explicit range checks (again, saturating) to ensure that their
inputs are sane. This should make it much harder to cause overflow by
supplying ludicrously large numbers.
Fixes two bugs found with the help of afl-fuzz. One of them may be
exploitable and is CVE-2015-5309.
Ben Harris [Sat, 17 Oct 2015 20:00:31 +0000 (21:00 +0100)]
Handle packets with no type byte by returning SSH_MSG_UNIMPLEMENTED.
The previous assertion failure is obviously wrong, but RFC 4253 doesn't
explicitly declare them to be a protocol error. Currently, the incoming
packet isn't logged, which might cause some confusion for log parsers.
Simon Tatham [Sat, 24 Oct 2015 15:44:37 +0000 (16:44 +0100)]
Initialise the random state in ssh_test_for_upstream().
This protects the Unix platform sharing code in the case where no salt
file exists yet in the connection-sharing directory, in which case
make_dirname() will want to create one by using some random bytes, and
prior to this commit, would fail an assertion because the random
number generator wasn't set up.
It would be neater to just return FALSE from ssh_test_for_upstream in
that situation - if there's no salt file, then no sharing socket can
be valid anyway - but that would involve doing more violence to the
code structure than I'm currently prepared to do for a minor elegance
gain.
Simon Tatham [Fri, 25 Sep 2015 08:23:26 +0000 (09:23 +0100)]
Sanitise bad characters in log file names.
On Windows, colons are illegal in filenames, because they're part of
the path syntax. But colons can appear in automatically constructed
log file names, if an IPv6 address is expanded from the &H placeholder.
Now we coerce any such illegal characters to '.', which is a bit of a
bodge but should at least cause a log file to be generated.
Simon Tatham [Fri, 25 Sep 2015 08:15:21 +0000 (09:15 +0100)]
Shout more loudly if we can't open a log file.
A user points out that logging fopen failures to the Event Log is a
bit obscure, and it's possible to proceed for months in the assumption
that your sessions are being correctly logged when in fact the
partition was full or you were aiming them at the wrong directory. Now
we produce output visibly in the PuTTY window.
Simon Tatham [Thu, 24 Sep 2015 16:30:04 +0000 (17:30 +0100)]
Command-line options to log sessions.
Log files, especially SSH packet logs, are often things you want to
generate in unusual circumstances, so it's good to have lots of ways
to ask for them. Particularly, it's especially painful to have to set
up a custom saved session to get diagnostics out of the command-line
tools.
I've added options '-sessionlog', '-sshlog' and '-sshrawlog', each of
which takes a filename argument. I think the fourth option (session
output but filtered down to the printable subset) is not really a
_debugging_ log in the same sense, so it's not as critical to have an
option for it.
Simon Tatham [Sat, 17 Oct 2015 16:30:53 +0000 (17:30 +0100)]
Fix spurious EAGAIN in Plink host key (and other) prompts.
Plink sets standard input into nonblocking mode, meaning that read()
from fd 0 in an interactive context will typically return -1 EAGAIN.
But the prompt functions in uxcons.c, used for verifying SSH host keys
and suchlike, were doing an unguarded read() from fd 0, and then
panicking and aborting the session when they got EAGAIN.
Fixed by inventing a wrapper around read(2) which handles EAGAIN but
passes all other errors back to the caller. (Seemed slightly less
dangerous than the stateful alternative of temporarily re-blockifying
the file descriptor.)
Cherry-picker's notes: the conflict was a trivial one. The new
function block_and_read() by this commit appears just before
verify_ssh_host_key(), which has a new prototype on the source branch,
close enough to disrupt the patch hunk's context. Easily fixed.
Simon Tatham [Thu, 3 Sep 2015 18:04:54 +0000 (19:04 +0100)]
Key rollover: fix the .htaccess files built by Buildscr.
The build script generates the .htaccess files that go in each
individual build and redirect generic names like 'putty.tar.gz' to the
real filenames including that build's version number. Those .htaccess
files redirect the corresponding signatures as well, so they need
updating now that we're generating signature files with a different
extension.
Simon Tatham [Wed, 2 Sep 2015 17:30:10 +0000 (18:30 +0100)]
Key rollover: switch to signing using the new keys.
sign.sh's command-line syntax has changed, so I've updated the sample
command line in CHECKLST as well. Also the file extensions of the
signatures have changed, so I've updated the pre-release verification
command line in CHECKLST too.
Simon Tatham [Tue, 1 Sep 2015 17:35:38 +0000 (18:35 +0100)]
pterm: set IUTF8 on pty devices depending on charset.
In a UTF-8 pterm, it makes sense to set the IUTF8 flag (on systems
that have one) on the pty device, so that line editing will take
account of UTF-8 multibyte characters.
Simon Tatham [Sun, 23 Aug 2015 13:13:30 +0000 (14:13 +0100)]
Performance: cache character widths returned from Pango.
Profiling reveals that pterm in Pango rendering mode uses an absurd
amount of CPU when it's not even actually _drawing_ the text, because
of all the calls to pango_layout_get_pixel_extents() while
pangofont_draw_text tries to work out which characters it can safely
draw as part of a long string. Caching the results speeds things up
greatly.
Simon Tatham [Sat, 22 Aug 2015 14:05:12 +0000 (15:05 +0100)]
'pterm --display' should set $DISPLAY inside the terminal.
If you open a pterm on a different display via the --display
command-line option rather than by setting $DISPLAY, I think (and
other terminals seem to agree) that it's sensible to set $DISPLAY
anyway for processes running inside the terminal.
Simon Tatham [Sat, 8 Aug 2015 12:35:44 +0000 (13:35 +0100)]
New formatting directive in logfile naming: &P for port number.
Users have requested this from time to time, for distinguishing log
file names when there's more than one SSH server running on different
ports of the same host. Since we do take account of that possibility
in other areas (e.g. we cache host keys indexed by (host,port) rather
than just host), it doesn't seem unreasonable to do so here too.
Simon Tatham [Thu, 6 Aug 2015 18:25:56 +0000 (19:25 +0100)]
Work around a failure in Windows 10 jump lists.
We've had several reports that launching saved sessions from the
Windows 10 jump list fails; Changyu Li reports that this is because we
create those IShellLink objects with a command line string starting
with @, and in Windows 10 that causes the SetArguments method to
silently do the wrong thing.
Simon Tatham [Sat, 1 Aug 2015 21:11:16 +0000 (22:11 +0100)]
Don't try to load GSSAPI libs unless we'll use them.
A user reports that in a particular situation one of the calls to
LoadLibrary from wingss.c has unwanted side effects, and points out
that this happens even when the saved session has GSSAPI disabled. So
I've evaluated as much as possible of the condition under which we
check the results of GSS library loading, and deferred the library
loading itself until after that condition says we even care about the
results.
Simon Tatham [Mon, 27 Jul 2015 19:06:02 +0000 (20:06 +0100)]
Handle the VK_PACKET virtual key code.
This is generated in response to the SendInput() Windows API call, if
that in turn is passed an KEYBDINPUT structure with KEYEVENTF_UNICODE
set. That method of input generation is used by programs such as
'WinCompose' to send an arbitrary Unicode character as if it had been
typed at the keyboard, even if the keyboard doesn't actually provide a
key for it.
Like VK_PROCESSKEY, this key code is an exception to our usual policy
of manually translating keystrokes: we handle it by calling
TranslateMessage, to get back the Unicode character it contains as a
WM_CHAR message.
(If that Unicode character in turn is outside the BMP, it may come
back as a pair of WM_CHARs in succession containing UTF-16 surrogates;
if so, that's OK, because the new Unicode WM_CHAR handler can cope.)
Simon Tatham [Mon, 27 Jul 2015 19:06:02 +0000 (20:06 +0100)]
Turn the Windows PuTTY main window into a Unicode window.
This causes WM_CHAR messages sent to us to have a wParam containing a
16-bit value encoded in UTF-16, rather than an 8-bit value encoded in
the system code page.
As far as I can tell, there aren't many other knock-on effects - e.g.
you can still interact with the window using ordinary char-based API
functions such as SetWindowText, and the Windows API will do the
necessary conversions behind the scenes. However, even so, I'm half
expecting some sort of unforeseen bug to show up as a result of this.
Simon Tatham [Mon, 27 Jul 2015 19:06:02 +0000 (20:06 +0100)]
New centralised helper function dup_mb_to_wc().
PuTTY's main mb_to_wc() function is all very well for embedding in
fiddly data pipelines, but for the simple job of turning a C string
into a C wide string, really I want something much more like
dupprintf. So here is one.
I've had to put it in a new separate source file miscucs.c rather than
throwing it into misc.c, because misc.c is linked into tools that
don't also include a module providing the internal Unicode API (winucs
or uxucs). The new miscucs.c appears only in Unicode-using tools.
Simon Tatham [Sat, 25 Jul 2015 10:28:32 +0000 (11:28 +0100)]
Post-0.65 release checklist updates.
The -F option is no longer needed to bob in this situation; that
hasn't been the directory I keep release announcements in for a long
time; the Docs page needs adjusting for pre-release retirement as well
as the Downloads page.
Simon Tatham [Mon, 28 Sep 2015 19:18:58 +0000 (20:18 +0100)]
Make 'extend selection' mouse button work again.
I broke it as a side effect of commit 30e63c105, in which I intended
to ignore mouse drag events that hadn't been preceded by a click. I
didn't spot that right-clicks (assuming Unix-style button mappings) go
through the same code path as left-drags, and hence were being ignored
even though they _were_ their own initiating click.
Simon Tatham [Mon, 28 Sep 2015 18:52:38 +0000 (19:52 +0100)]
Include stdint.h (where available) for uintptr_t.
Commit f2e61275f introduced the use of uintptr_t, without adding an
include of <stdint.h> which is where the C standard says that type
should be defined. This didn't cause a build failure, because Visual
Studio also defines it in <stddef.h> which we do include. But a user
points out that other Windows toolchains - e.g. MinGW - don't
necessarily do the same.
I can't add an unconditional include of <stdint.h>, because the VS I
use for the current official builds doesn't have that header at all.
So I conditionalise it out for old VS; if it needs throwing out for
any other toolchain, I'll add further conditions as reports come in.
Simon Tatham [Sat, 26 Sep 2015 13:17:51 +0000 (14:17 +0100)]
Set GTK3 as the default, and stop marking it unfinished.
Today I've gone through the whole GTK front end, doing a manual test
of every piece of code that I either remembered having had to fiddle
with for GTK3, or suddenly realised I _should_ have fiddled with. I've
fixed all the bugs arising from that exercise; and what with that, the
fact that the new Cairo image surface strategy makes server-side font
handling _faster_ in GTK3 than in GTK2, and the fact that GTK3 also
supports the shiny new smooth scrolling system for touchpads, I
suddenly think that the GTK3 build is now at least as good as GTK2.
So I've switched the configure script over to picking it by default if
it can, and I've also removed the 'unfinished and experimental'
warning if you select it. I for one will now start using GTK3 PuTTY
and pterm for my day-to-day work.
Simon Tatham [Sat, 26 Sep 2015 13:13:56 +0000 (14:13 +0100)]
Widen the GTK askalg() message box.
In GTK3, the line 'Continue with connection?' got wrapped (in spite of
my attempt to enforce via string_width() that it didn't - probably a
few pixels were needed on top of that for various padding and
furniture) so it looked even sillier. But it looked a bit narrow to be
sensible even in GTK2, so the simplest answer is just to widen it
considerably.
Simon Tatham [Sat, 26 Sep 2015 13:09:27 +0000 (14:09 +0100)]
Make sure Escape terminates the About box.
I think it only did so in GTK2 by virtue of the About box being a
GtkDialog. But in GTK3 I've abandoned GtkDialog for not being flexible
enough, so I have to process the Escape key myself.
Simon Tatham [Sat, 26 Sep 2015 12:57:12 +0000 (13:57 +0100)]
Make sure Escape in a message box always does something.
The askalg() dialog, and several one-button things like the licence
box, have no button labelled 'cancel'. But in all cases we do want
Escape to terminate the box, with as negative an answer as is
available. So now we assign the 'iscancel' flag to any button whose
numeric value is the smallest of the ones given as input to
messagebox().
(In a one-button box, this leads to isdefault and iscancel _both_
being set for that button. That's fine; it works.)
Simon Tatham [Sat, 26 Sep 2015 12:22:49 +0000 (13:22 +0100)]
Fix GTK keyboard-shortcut focusing of CTRL_LISTBOX.
I had put an entire piece of code into win_key_press's SHORTCUT_UCTRL
handler to carefully handle all the different kinds of list box
control and do something sensible with each one, and then I just went
and used a generic SHORTCUT_FOCUS type shortcut instead of actually
_calling_ all that carefully prepared code.
Now selecting (say) the character-classes list box in the Selection
panel using its Alt-e shortcut works; also, shortcut-selecting a popup
menu such as the ones in the Bugs panel causes the menu to pop up,
which I think is nicer than what previously happened.
Simon Tatham [Sat, 26 Sep 2015 12:12:25 +0000 (13:12 +0100)]
Permit the config box treeview to be keyboard-selected.
I'd failed to set the widget field in its shortcut structure, leading
to an annoying GTK warning log message and no useful UI action when
Alt-G was pressed in the config box.
Simon Tatham [Sat, 26 Sep 2015 11:59:26 +0000 (12:59 +0100)]
Remove a couple of outdated FIXME comments.
I had originally planned to implement a Compose-type key locally in
GTK PuTTY, as I did in Windows PuTTY. But in fact we've done this for
some time by delegating to the GTK IM system, which is a far better
idea anyway. So there's no point any more having the FIXME comment
that mentions Compose keys.
Also, there was a comment worrying about what I was going to do about
double-width characters in Pango, which is long since sorted out.
Simon Tatham [Sat, 26 Sep 2015 10:48:21 +0000 (11:48 +0100)]
Add some missing GTK focus-in event handlers.
Fixes a behaviour which I intended all along but apparently didn't
work before on GTK: if you start PuTTY, _select_ a saved session in
the list box but don't hit Load, and then just hit Open, then it will
be implicitly loaded and run for you, as a special case to save you an
extra button-press.
This depends on noticing that the saved-sessions list box last had the
focus, for which I need my widget_focus() handler to be called for
basically all config widgets so that I can track what _did_ last have
focus. Unfortunately, I missed a couple out.
Simon Tatham [Sat, 26 Sep 2015 10:09:20 +0000 (11:09 +0100)]
Don't defer displaying the prompt label in gtkask.
The previous sequence of events was that I would display the window
synchronously (via gtk_widget_show_now), so that I knew it was
actually on the screen and realised as an X window, and then I'd grab
the keyboard, and once the keyboard was grabbed, connect up the
keyboard event handlers and display the prompt.
I have to assume that deferring the display of the 'enter the
passphrase' prompt until the keyboard handlers were set up was
intended as some sort of 'not misleading the user' measure - don't
tell them to start typing until we're actually ready to start typing.
But unfortunately it has the side effect that the window is displayed
at a much smaller size before the prompt label appears, and centred on
the screen according to _that_ size - and then we display the prompt
label and the window resizes and is now off-centre. So I think it's
better not to try to be clever, and just make the window come up at
the right size initially.
(Actually, it looks as if nothing in the window is actually drawn
until that whole init function is finished anyway, so the prompt label
_already_ doesn't get physically displayed too early. So the whole
idea was pointless in the first place!)
Simon Tatham [Sat, 26 Sep 2015 09:42:02 +0000 (10:42 +0100)]
Visually distinguish charset headings in GTK3 unifontsel.
When displaying a server-side font, the unified font selector's
font-style list box contains some lines which are character-set
headings, and others which are actually selectable font styles. We tag
the former with the "sensitive"=FALSE attribute, to prevent them from
responding to clicks. In GTK2, this also made them visually distinct
from the normal lines, by greying them out; in GTK3 it makes no visual
difference.
The simplest solution is to bold those lines, hinting that they're
sort of section headings. That looks OK in GTK2 as well, so I've done
it unconditionally.
Simon Tatham [Sat, 26 Sep 2015 09:18:53 +0000 (10:18 +0100)]
Fix combining character handling in Pango.
The top-level loop in gtkwin.c which draws text was expecting that the
right way to draw a printing character plus combining characters was
to overprint them one by one on top of each other. This is an OK
assumption for X bitmap fonts, but in Pango, it works very badly -
most obviously because asking Pango to display a combining char on its
own causes it to print a dotted circle representing the base char, but
also because surely there will be character combinations where Pango
wants to do something more sophisticated than just printing them each
at a standard offset, and it would be a shame not to let it.
So I've moved the previous overprinting loop down into the x11font
subclass of the unifont mechanism. The top-level gtkwin.c drawing code
now calls a new method unifont_draw_combining, which in the X11 case
does the same loop as before, but in the Pango case, just passes a
whole base+combinings string to Pango in one go and lets it do the
best job it can.
Simon Tatham [Fri, 25 Sep 2015 15:03:47 +0000 (16:03 +0100)]
Fix winhandl.c's failure to ever free a foreign handle.
Handles managed by winhandl.c have a 'busy' flag, which is used to
mean two things: (a) is a subthread currently blocked on this handle
so various operations in the main thread have to be deferred until it
finishes? And (b) is this handle currently one that should be returned
to the main loop to be waited for?
For HT_INPUT and HT_OUTPUT, those things are either both true or both
false, so a single flag covering both of them is fine. But HT_FOREIGN
handles have the property that they should always be waited for in the
main loop, but no subthread is blocked on them. The latter means that
operations done on them in the main thread should not be deferred; the
only such operation is cleaning them up in handle_free().
handle_free() was failing to spot this, and was deferring freeing
HT_FOREIGN handles until their subthread terminated - which of course
never happened. As a result, when a named pipe server was closed, its
actual Windows event object got destroyed, but winhandl.c still kept
passing it back to the main thread, leading to a tight loop because
MsgWaitForMultipleObjects would return ERROR_INVALID_HANDLE and never
block.
Simon Tatham [Fri, 25 Sep 2015 14:11:44 +0000 (15:11 +0100)]
Support smooth scrolling in GTK3.
Touchpad gestures can generate much smoother scrolling events than the
discrete increments of mouse wheels. GDK3 supports this by means of a
new kind of scroll event, with direction GDK_SCROLL_SMOOTH and a
floating-point delta value. Added support for this; so in GTK3 mode,
you can now touchpad-scroll at a granularity of one line rather than
five, but in mouse tracking mode, scroll events are still grouped into
5-line chunks for purposes of turning them into escape sequences to
send to the server.
Simon Tatham [Fri, 25 Sep 2015 13:09:57 +0000 (14:09 +0100)]
Make scroll events work again in GTK3.
Apparently, if you don't specify GDK_SMOOTH_SCROLL_MASK in a widget's
event mask, then you don't receive "scroll_event" signals at all, even
of the non-smooth variety that was all GTK2 had. Hence, neither mouse
scroll wheels nor touchpad scroll gestures seem to generate any
response.
Adding GDK_SMOOTH_SCROLL_MASK brings the old scroll events back again,
so this is at least no worse than GTK2 was. But in GTK3 we _ought_ to
be able to do better still, by supporting smooth scrolling from
touchpads; this commit doesn't do that.
Simon Tatham [Fri, 25 Sep 2015 11:45:08 +0000 (12:45 +0100)]
Remove an accidentally committed diagnostic.
Forgot to remove this after debugging a development-time problem with
the new EPIPE special case. One of these days I'm going to have to set
up an automated way to protect against this kind of mistake...
Simon Tatham [Fri, 25 Sep 2015 11:05:55 +0000 (12:05 +0100)]
Avoid logging pre-verstring EPIPE from sharing downstreams.
If you use the new 'plink -shareexists' feature, then on Unix at least
it's possible for the upstream to receive EPIPE, because the
downstream makes a test connection and immediately closes it, so that
upstream fails to write its version string.
This looks a bit ugly in the upstream's Event Log, so I'm making a
special case: an error of 'broken pipe' type, which occurs on a socket
from a connection sharing downstream, before we've received a version
string from that downstream, is treated as an unusual kind of normal
connection termination and not logged as an error.
Simon Tatham [Fri, 25 Sep 2015 10:46:28 +0000 (11:46 +0100)]
New Plink operating mode: 'plink -shareexists'.
A Plink invocation of the form 'plink -shareexists <session>' tests
for a currently live connection-sharing upstream for the session in
question. <session> can be any syntax you'd use with Plink to make the
actual connection (a host/port number, a bare saved session name,
-load, whatever).
I envisage this being useful for things like adaptive proxying - e.g.
if you want to connect to host A which you can't route to directly,
and you might already have a connection to either of hosts B or C
which are viable proxies, then you could write a proxy shell script
which checks whether you already have an upstream for B or C and goes
via whichever one is currently active.
Testing for the upstream's existence has to be done by actually
connecting to its socket, because on Unix the mere existence of a
Unix-domain socket file doesn't guarantee that there's a process
listening to it. So we make a test connection, and then immediately
disconnect; hence, that shows up in the upstream's event log.
Simon Tatham [Fri, 25 Sep 2015 11:06:06 +0000 (12:06 +0100)]
Actually set the 'got_verstring' flag in sshshare.c!
For each connection to a downstream I had a flag indicating that we'd
sent a version string to that downstream, and one indicating that we'd
received one in return. But I never actually set the latter to TRUE -
which was OK, as it turned out, because I never used it for anything
either.
Now I do want to use it, so I'd better actually set it :-)
Simon Tatham [Fri, 25 Sep 2015 09:58:29 +0000 (10:58 +0100)]
Factor out ssh_hostport_setup().
This is the part of ssh.c's connect_to_host() which figures out the
host name and port number that logically identify the connection -
i.e. not necessarily where we physically connected to, but what we'll
use to look up the saved session cache, put in the window title bar,
and give to the connection sharing code to identify other connections
to share with.
I'm about to want to use it for another purpose, so it needs to be
moved out into a separate function.
Simon Tatham [Fri, 25 Sep 2015 09:58:05 +0000 (10:58 +0100)]
Factor out ssh_share_sockname().
This is the part of ssh_connection_sharing_init() which decides on the
identifying string to pass to the platform sharing setup. I'm about to
want to use it for another purpose, so it needs to be moved into a
separate function.
Simon Tatham [Fri, 25 Sep 2015 09:05:57 +0000 (10:05 +0100)]
Fix misplaced separator in GTK3 dialog boxes.
When I abandoned GtkDialog for GtkWindow (in dc11417ae), I manually
added a horizontal GtkSeparator between the content and action areas.
Or rather, I tried to - but I forgot that gtk_box_pack_end works in
the opposite order, so that you have to add the bottom-most element
first and then the one you want to appear above it. So my separator
was below the action area, rather than between it and the content
area.
Simon Tatham [Fri, 25 Sep 2015 08:52:19 +0000 (09:52 +0100)]
Fix window resizing in GTK 3 PuTTY.
In GTK 3, it was impossible to resize the window smaller than it
started off, because the size request on the drawing area was taken as
a minimum. (I can't actually remember how the GTK 2 version doesn't
have this problem too.)
Fixed by instead setting the initial window size using
gtk_window_set_default_geometry() (having first set up the geometry
hints to reflect the character cell size).
Simon Tatham [Fri, 25 Sep 2015 08:23:26 +0000 (09:23 +0100)]
Sanitise bad characters in log file names.
On Windows, colons are illegal in filenames, because they're part of
the path syntax. But colons can appear in automatically constructed
log file names, if an IPv6 address is expanded from the &H placeholder.
Now we coerce any such illegal characters to '.', which is a bit of a
bodge but should at least cause a log file to be generated.
Simon Tatham [Fri, 25 Sep 2015 08:15:21 +0000 (09:15 +0100)]
Shout more loudly if we can't open a log file.
A user points out that logging fopen failures to the Event Log is a
bit obscure, and it's possible to proceed for months in the assumption
that your sessions are being correctly logged when in fact the
partition was full or you were aiming them at the wrong directory. Now
we produce output visibly in the PuTTY window.
Simon Tatham [Thu, 24 Sep 2015 16:47:10 +0000 (17:47 +0100)]
Centralise stripslashes() and make it OS-sensitive.
I noticed that Unix PSCP was unwantedly renaming downloaded files
which had a backslash in their names, because pscp.c's stripslashes()
treated \ as a path component separator, since it hadn't been modified
since PSCP ran on Windows only.
It also turns out that pscp.c, psftp.c and winsftp.c all had a
stripslashes(), and they didn't all have quite the same prototype. So
now there's one in winsftp.c and one in uxsftp.c, with appropriate
OS-dependent behaviour, and the ones in pscp.c and psftp.c are gone.
Simon Tatham [Thu, 24 Sep 2015 16:30:04 +0000 (17:30 +0100)]
Command-line options to log sessions.
Log files, especially SSH packet logs, are often things you want to
generate in unusual circumstances, so it's good to have lots of ways
to ask for them. Particularly, it's especially painful to have to set
up a custom saved session to get diagnostics out of the command-line
tools.
I've added options '-sessionlog', '-sshlog' and '-sshrawlog', each of
which takes a filename argument. I think the fourth option (session
output but filtered down to the printable subset) is not really a
_debugging_ log in the same sense, so it's not as critical to have an
option for it.
Simon Tatham [Thu, 24 Sep 2015 13:08:25 +0000 (14:08 +0100)]
Use a Cairo image surface as a client-side cache.
In any DRAWTYPE_CAIRO mode, we now do all our Cairo drawing to a Cairo
image surface which lives on the client; then we either blit directly
from that to the window (if we're in GTK3 mode, or GTK2 without
deprecated pieces of API), or else we blit from the Cairo surface to
the server-side pixmap and then from there to the actual window.
In DRAWTYPE_GDK mode, nothing much has changed: we still draw directly
to the server-side pixmap using the GDK drawing API, then blit from
there to the window. But there is one change, namely that the blit is
no longer done proactively - instead, we queue a redraw of the
affected rectangle, and wait until we're called back by the expose
handler.
The main aim of all this is to arrange that the only time we ever draw
to the real window is in response to expose/draw events. The
experimental GTK3 OS X port stopped working a week or two ago (I
presume in response to an OS update) with the symptoms that attempts
to draw on the window outside the context of a "draw" event handler
just didn't seem to work any more; this change fixes it.
In addition to that benefit, this change also has obvious performance
advantages in principle. No more expensive text rendering in response
to an expose event - just re-copy to the window from the bitmap we
already have, from wherever it's stored that's nearest.
Moreover, this seems to have fixed the significant performance problem
with X server-side fonts under GTK. I didn't expect _that_! I'd
guessed that the approach of downloading character bitmaps and
rendering them manually via Cairo was just inherently slow for some
reason. I've no real idea _why_ this change improves matters so much;
my best guess is that perhaps there's an overhead in each drawing
operation to a GDK Cairo surface, so we win by doing lots of
operations to a much faster image surface and then batching them up
into one GDK Cairo operation. But whyever it is, I'm certainly not
complaining!
(In fact, it now seems to be noticeably _faster_, at least on my usual
local X displays, to draw server-side fonts using that technique than
using the old GDK approach. I may yet decide to switch over...)
Simon Tatham [Thu, 24 Sep 2015 10:58:44 +0000 (11:58 +0100)]
Fix spurious EAGAIN in Plink host key (and other) prompts.
Plink sets standard input into nonblocking mode, meaning that read()
from fd 0 in an interactive context will typically return -1 EAGAIN.
But the prompt functions in uxcons.c, used for verifying SSH host keys
and suchlike, were doing an unguarded read() from fd 0, and then
panicking and aborting the session when they got EAGAIN.
Fixed by inventing a wrapper around read(2) which handles EAGAIN but
passes all other errors back to the caller. (Seemed slightly less
dangerous than the stateful alternative of temporarily re-blockifying
the file descriptor.)
Simon Tatham [Thu, 24 Sep 2015 10:41:43 +0000 (11:41 +0100)]
Don't try to agree a MAC we'll never use.
If we've chosen the ChaCha20-Poly1305 option for a cipher, then that
forces the use of its associated MAC. In that situation, we should
avoid even _trying_ to figure out a MAC by examining the MAC string
from the server's KEXINIT, because we won't use the MAC selected by
that method anyway, so there's no point imposing the requirement on
servers to present a MAC we believe in just so we know it's there.
This was breaking interoperation with tinysshd, and is in violation of
OpenSSH's spec for the "chacha20-poly1305@openssh.com" cipher.
Simon Tatham [Thu, 10 Sep 2015 07:10:52 +0000 (08:10 +0100)]
Split ssh2_cipher's keylen field into two.
The revamp of key generation in commit e460f3083 made the assumption
that you could decide how many bytes of key material to generate by
converting cipher->keylen from bits to bytes. This is a good
assumption for all ciphers except DES/3DES: since the SSH DES key
setup ignores one bit in every byte of key material it's given, you
need more bytes than its keylen field would have you believe. So
currently the DES ciphers aren't being keyed correctly.
The original keylen field is used for deciding how big a DH group to
request, and on that basis I think it still makes sense to keep it
reflecting the true entropy of a cipher key. So it turns out we need
two _separate_ key length fields per cipher - one for the real
entropy, and one for the much more obvious purpose of knowing how much
data to ask for from ssh2_mkkey.
A compensatory advantage, though, is that we can now measure the
latter directly in bytes rather than bits, so we no longer have to
faff about with dividing by 8 and rounding up.
Simon Tatham [Sun, 6 Sep 2015 08:50:09 +0000 (09:50 +0100)]
New script to generate OS X icon files.
The Xcode icon composer doesn't seem to exist any more in modern
versions of Xcode, or at least if it does then it's well hidden and
certainly doesn't live at the top-level path at /Developer where web
pages still claim it can be found.
There is a free software 'libicns' and associated command-line tools,
but they're large, complicated, picky about the exact format of PNGs
they get as input, and in any case a needless extra build dependency
when it turns out the important parts of the file format can be done
in a few dozen lines of Python. So here's a new macicon.py, and
icons/Makefile additions to build a demo icon for OS X PuTTY, as and
when I finally get it working.
Also I've deleted the static icon file in the neglected 'macosx'
source directory, because this one is better anyway - the old one was
appalling quality, and must have been autogenerated from a single
image in some way.
Simon Tatham [Sun, 6 Sep 2015 08:13:48 +0000 (09:13 +0100)]
Clean up GTK keyboard event diagnostics.
When I introduced the KEY_EVENT_DIAGNOSTICS system last month in
commit 769600b22, I somehow didn't notice that it sat next to an
existing system of ifdefs labelled KEY_DEBUGGING, which did some
things worse but some things better.
Now I've expanded both of those into a fairly complete system of
diagnostics (keeping the newer name of KEY_EVENT_DIAGNOSTICS), and
made them use debug() rather than printf() so that in situations where
no standard output is available I can still retrieve the diagnostics
from debug.log.
projects / PuTTY.git / log